The current state of ransomware: VirLock, ThreatFinder, CrypVault and PowerShell-based

In our blog series on the current state of ransomware, we have presented an in-depth analysis of the four most prevalent variants and described various aspects of their operation, their infection mechanisms and the geographic distribution of each variant across the globe.

Those variants are: CryptoWall, TorrentLocker, CTB-Locker and TeslaCrypt.

Now we will explore several less common but more novel variants: viral ransomware (VirLock), ThreatFinder, CrypVault and PowerShell-based ransomware (Los Pollos Hermanos).

Continue reading

The current state of ransomware: TeslaCrypt

So far, our series on the current state of ransomware has taken an in-depth look at three ransomware families: CryptoWall, TorrentLocker and CTB-Locker. Today we’ll talk about the variant known as TeslaCrypt.

TeslaCrypt (a.k.a. EccKrypt) is one of the most recent ransomware variants we’ve seen in wide circulation. It encrypts certain user files and demands that a ransom be paid to decrypt them. Like other variants, it uses the AES symmetric cipher to encrypt files.

TeslaCrypt is distributed widely via the Angler exploit kit and a few other known exploit kits. When delivered through Angler, the kit exploits Adobe Flash (CVE-2015-0311) and, once exploitation succeeds, downloads TeslaCrypt as the payload.

Continue reading

The current state of ransomware: CTB-Locker

In our series on the current state of ransomware, we previously looked at CryptoWall and TorrentLocker. In this post, we’ll examine a variant called CTB-Locker.

CTB-Locker is a ransomware variant that encrypts files on a victim’s hard disk before demanding that a ransom be paid to decrypt them.

CTB-Locker is noteworthy for its high infection rates, its use of Elliptic Curve Cryptography, Tor and Bitcoin, and its multi-lingual capabilities.

Continue reading

The current state of ransomware: TorrentLocker

The scourge of file-encrypting ransomware has emerged as a major threat since the runaway success of CryptoLocker, which first appeared in September 2013. Although law enforcement took out the CryptoLocker server infrastructure in 2014, malware authors rapidly moved in to fill the void with new variants.

With this in mind, SophosLabs threat researchers James Wyke and Anand Ajjan recently published a thorough and well-written paper entitled The Current State of Ransomware, giving their expert analysis of the newer strains, how they work, and what individuals and businesses can do to stay secure.

In our blog series looking at this research, we began with our post on one of the most prevalent ransomware families, CryptoWall. Today, we’ll take a closer look at TorrentLocker, a family of file-encrypting ransomware that is almost exclusively distributed through spam email campaigns and is noteworthy for being very geographically targeted. Both the ransom notes and the initial lures are localized to the targeted region, and the number of regions observed to have been targeted by TorrentLocker is considerable.

Continue reading

Holiday security song #3: Ransomware


In honor of the holidays, we’ve been sharing some light-hearted holiday songs with a serious security message each day this week.

First, it was a song about unprotected data flying “over the network and through the cloud.” Then we shared a song about our “least favorite things,” from exploit kits to macro malware.

In today’s conclusion of three days of holiday security songs, we see what happens when the joy of a sleigh ride is replaced by a night of malware cleanup.

Continue reading

The current state of ransomware: CryptoWall

Ransomware has become one of the most widespread and damaging threats that Internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and exploit kits, extorting money from home users and businesses alike.

The roots of the current wave of ransomware families can be traced back to the early days of fake antivirus, through the screen-locking “Locker” variants, and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal: to extort money from victims through social engineering and outright intimidation.

SophosLabs has published new research examining the recent evolution in file-encrypting ransomware, in our paper titled The Current State of Ransomware. We look at the most prevalent variants, including CryptoWall, TorrentLocker, CTB-Locker and TeslaCrypt, as well as more obscure variants that employ novel or interesting techniques. In this blog post, the first in a series about ransomware, we take an in-depth look at CryptoWall.

Continue reading